xmrig | 126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

Resubmissions

25/06/2021, 20:08

210625-1ay8ymabc6 10

24/06/2021, 06:05

210624-z3rv4e1ed2 10

Analysis

max time kernel
379s
max time network
159s
platform
windows7_x64
resource
win7v20210410
submitted
25/06/2021, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Session Manager.exe
Size

1.3MB
MD5

000e2743bf3cb96cefc4be357765cec3
SHA1

62b9b6afc91e349c56ce967985eec229f7db82aa
SHA256

126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3
SHA512

b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

Score

10^/10

xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\drivers\en-US	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\drivers\UMDF	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	Windows Session Manager.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\TestGet.tiff	Windows Session Manager.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Documents\My Videos\ꡀ眳ɢ⾠vC:\Users\Public\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	Windows Session Manager.exe
File created	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	Windows Session Manager.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Desktop\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Pictures\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQE06QBJ\desktop.ini	Windows Session Manager.exe
File created	C:\Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Favorites\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	Windows Session Manager.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Public\Pictures\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Contacts\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	Windows Session Manager.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	Windows Session Manager.exe
File created	C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AJ1NIV9I\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Public\Music\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IE-ESC	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\lpk.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\cxraphd.rom	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcdp.inf_amd64_neutral_170c11f3a6d3f0a8\mdmcdp.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_neutral_905772087ff288af\athrx.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\Storprop.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\xwizards.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\WsmSvc.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnca00d.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bf.bcm	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZSMWN7.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\printui.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtkr.inf_amd64_neutral_8e3809aa77440c37\mdmtkr.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\prnca00c.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NRE8L.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\dpnhpast.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\msltus40.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\vdsbas.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netmyk00.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPFIGLHN.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV1403E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateE\license.rtf	Windows Session Manager.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidbth.inf_amd64_neutral_8a1323fc68ad84af	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\WCN\en-US	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~fi-FI~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tdibth.inf_amd64_neutral_6ad685957123daf1\rfcomm.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\zh-CN\d2d1.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\certenc.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\SearchIndexer.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\CNBJ3250.TBL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NOE17.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GSC75316.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd6100t.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnsv002.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2200t.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\setupapi.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\nfs-servercore-repl.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\ro-RO\msimsg.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\cryptsvc.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\mswmdm.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~fi-FI~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\Amd64\LM2591.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NR13506.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHH51N03.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msiexec.exe.mui	Windows Session Manager.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\polstore.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnca003.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR1B.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OKML5520.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA6500.GPD	Windows Session Manager.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\breecemc.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYW7AUTO.INI	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHK11N01.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC10\applets\IMTCDIC.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\ieetwproxystub.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\averfx2swtv_noavin_x64.PNF	Windows Session Manager.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.INF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL103.XML.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02369_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR38F.GIF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\Hx.HxC.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02022_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLOGO.DPV.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_ES.LEX	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187861.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_K_COL.HXK.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04195_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN095.XML.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\PREVIEW.GIF	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152626.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\bin\management.dll.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05930_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00459_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boise.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll.[[email protected]][MJ-JR5107362498].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt	Windows Session Manager.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\button_MCELogo_mouseout.png	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_prnky003.inf_31bf3856ad364e35_6.1.7600.16385_none_3d4c795ded41268f\Amd64\KYKM3060.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_th-th_6c5db85765f279c8.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_8f3b48a84cb8ca60.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.22396_none_65e0642b0b187577\DotNetTypes.format.ps1xml	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.1.7601.17514_none_9fe23e2588fdee38\NlsLexicons003e.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~et-EE~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_mscorlib_b77a5c561934e089_6.1.7601.17514_none_5465aa786982a1f2\normnfc.nlp	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d2d_31bf3856ad364e35_7.1.7601.16492_none_f6dafd66fdb9c254.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-com-complus-runtime_31bf3856ad364e35_6.1.7600.16385_none_c0145b0b22c3562c\mfcsubs.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-help-datalayer_31bf3856ad364e35_6.1.7600.16385_none_c490fde17faa7eaa\Help-DataLayer.ptxml	Windows Session Manager.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-f12_31bf3856ad364e35_11.2.9600.16428_none_d00b4e4cfd710fb8	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Threading.Timer.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_wiacn001.inf_31bf3856ad364e35_6.1.7600.16385_none_95eb24d2d4a0a55b\CNHC370S.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_spool_drivers_color_714407f67ff22f9d.cdf-ms	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-w..eakerstemmer-korean_31bf3856ad364e35_7.0.7600.16385_none_4bab7dfc3c082b07\noise.kor	Windows Session Manager.exe
File created	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a	Windows Session Manager.exe
File created	C:\Windows\inf\ServiceModelOperation 3.0.0.0\0000	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22d9783c715c7b1c\wudfsvc.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-deskadp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66785ef5b68459c4.manifest	Windows Session Manager.exe
File created	C:\Windows\assembly\GAC_MSIL\napinit	Windows Session Manager.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ponents-mdac-sqlxml_31bf3856ad364e35_6.1.7600.16385_none_75682ef78730fe19	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_ricoh.inf_31bf3856ad364e35_6.1.7600.16385_none_74eae2fb3c9f26c1\ricoh.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_arrays.help.txt	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\scene_button_style_default_Thumbnail.bmp	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\curtains.png	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-atl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9ed0ed8a645f93d5.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_1d316289a4bdaefa\InstallPersonalization.sql	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Windows Feed Discovered.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-photo-printing-wizard_31bf3856ad364e35_6.1.7601.17514_none_b30ed5baf3b15725.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..minsnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_080c156cf8c8e83c\tpm.msc	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Package_2_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00d.inf_31bf3856ad364e35_6.1.7600.16385_none_de510ba10fac7008\Amd64\CNBP_291.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman_31bf3856ad364e35_6.1.7601.17514_none_32187fb040e2395a_ntlanman.dll_0a73d68d	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_2b95a17838063e9b\AtBroker.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.1.7601.17514_none_fc00d9a9415b5f6e\NlsData0007.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_prnnr002.inf_31bf3856ad364e35_6.1.7600.16385_none_b91afcc7c666b4b2\Amd64\NRC420D.GPD	Windows Session Manager.exe
File created	C:\Windows\winsxs\msil_microsoft.powershel..orkflow.servicecore_31bf3856ad364e35_7.2.7601.16406_none_48689c23ed86432e	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\aspnet_state\0013\aspnet_state_perf.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_08e3747fa83e48bc\msvcp90.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_tr-tr_5f1dd1e45a1af0a7.cdf-ms	Windows Session Manager.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-icacls_31bf3856ad364e35_6.1.7600.16385_none_8ea990b7bfab3802	Windows Session Manager.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..platform-input-core_31bf3856ad364e35_6.1.7601.17514_none_2f3651e7f36d703f	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-win32-provider_31bf3856ad364e35_6.1.7600.16385_none_22bff75d90022b80\wmipsess.mof	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_modemcsa.inf_31bf3856ad364e35_6.1.7601.17514_none_78520ca36170c34f\csamsp.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_prnky007.inf_31bf3856ad364e35_6.1.7600.16385_none_3f70c23251ba1833\Amd64\KYUD5015.GDL	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe.config	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\PenTraining.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_07f44fb7712a68da.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe.config	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..httptracingbinaries_31bf3856ad364e35_6.1.7601.17514_none_9801984a65f206f3\iisetw.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7601.17514_none_affb336d34ccf2f8\unregmp2.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\diagnostics\system\HomeGroup\en-US\DiagPackage.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-mobctr_31bf3856ad364e35_6.1.7600.16385_none_ccc65589205fbbe8.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_averfx2swtv_noavin_x64.inf_31bf3856ad364e35_6.1.7600.16385_none_d09f0e4b6533fbdf\AVerFx2swtv_NoAVIN_x64.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_divacx64.inf_31bf3856ad364e35_6.1.7600.16385_none_cf37cc4c5bc25dc7.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-findstr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1feb2c60605a9440.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Notify.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce\bridge.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_syswow64_en-us_licenses_oem_startere_a7ee577559a95827.cdf-ms	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b938a9b9fe95f8de.manifest	Windows Session Manager.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<ʾ\LNʾ\VXʾ\`b𴊾\jl񋊾\tv핈ʾ\~톤ʾ\츀ʾ\쩜ʾ\울ʾ\¦¨쌔ʾ\°²뽰ʾ\º¼믌ʾ\ÄÆ련ʾ\ÎÐ뒄ʾ\ØÚ냠ʾ\âä괼ʾ\ìîꦘʾ\öøꗴʾ\ĀĂꉐʾ\ĊČ麬ʾ\ĔĖ鬈ʾ\ĞĠ靤ʾ\ĨĪ鏀ʾ	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Documents\My Music\ꡀ眳ɢ⾠vC:\Users\Public\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ɢ\ɢ\ɢ\¦¨ɢ\°²𵉢\º¼񌉢\ÄÆ핌ɢ\ÎÐ톨ɢ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ʕ\ʕ\ʕ\¦¨ʕ\°²	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\pack\8:ʕ\ ʕ\¨ªʕ\²´ʕ\¼¾󢊕\ÆÈ󹊕\ÐÒ𐊕\ÚÜ표ʕ\äæ킸ʕ\îð촔ʕ\øú쥰ʕ\ĂĄ엌ʕ\ČĎ숨ʕ\ĖĘ뺄ʕ\ĠĢ뫠ʕ\ĪĬ뜼ʕ\ĴĶ뎘ʕ\ľŀ꿴ʕ\ňŊ걐ʕ\ŒŔꢬʕ\ᑠsꔈʕ@\ŦŨꅤʕ\ŰŲ鷀ʕ\żž騜ʕ\Ɔƈ陸ʕ	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<̤\LN̤\VX̤\`b񎌤\jl񥌤\tv햰̤\~툌̤\침̤\쫄̤\유̤\¦¨썼̤\°²뿘̤\º¼밴̤\ÄÆ뢐̤\ÎÐ듬̤\ØÚ녈̤\âä궤̤\ìîꨀ̤\öøꙜ̤\ĀĂꊸ̤\ĊČ鼔̤\ĔĖ魰̤\ĞĠ韌̤\ĨĪ鐨̤\ĲĴ還̤\ļľ賠̤\ņň褼̤\ŐŒ薘̤\ŚŜ致̤\ŤŦ繐̤\ŮŰ窬̤\Ÿź眈̤\ƂƄ獤̤\ƌƎ激̤\ƖƘ氜̤\ƠƢ桸̤	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Documents\My Videos\ꡀ眳ɢ⾠vC:\Users\Public\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ʾ\ʾ\ʾ\¦¨ʾ\°²ʾ\º¼𴊾\ÄÆ񋊾\ÎÐ핈ʾ\ØÚ톤ʾ\âä츀ʾ\ìî쩜ʾ\öø울ʾ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:̤\̤	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<ʕ\LNʕ\VXʕ\`b󢊕\jl󹊕\tv𐊕\~표ʕ\킸ʕ\촔ʕ\쥰ʕ\¦¨엌ʕ	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Documents\My Pictures\ꡀ眳ɢ⾠vC:\Users\Public\Documents\desktop.ini	Windows Session Manager.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
540	Windows Session Manager.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1396	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	taskmgr.exe
Token: 33	564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	564	AUDIODG.EXE
Token: 33	564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	564	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1972	540	Windows Session Manager.exe	27
PID 540 wrote to memory of 1972	540	Windows Session Manager.exe	27
PID 540 wrote to memory of 1972	540	Windows Session Manager.exe	27
PID 540 wrote to memory of 1972	540	Windows Session Manager.exe	27
PID 1972 wrote to memory of 1172	1972	cmd.exe	29
PID 1972 wrote to memory of 1172	1972	cmd.exe	29
PID 1972 wrote to memory of 1172	1972	cmd.exe	29
PID 1972 wrote to memory of 1172	1972	cmd.exe	29
PID 1172 wrote to memory of 1844	1172	net.exe	30
PID 1172 wrote to memory of 1844	1172	net.exe	30
PID 1172 wrote to memory of 1844	1172	net.exe	30
PID 1172 wrote to memory of 1844	1172	net.exe	30
PID 540 wrote to memory of 1800	540	Windows Session Manager.exe	31
PID 540 wrote to memory of 1800	540	Windows Session Manager.exe	31
PID 540 wrote to memory of 1800	540	Windows Session Manager.exe	31
PID 540 wrote to memory of 1800	540	Windows Session Manager.exe	31
PID 540 wrote to memory of 1772	540	Windows Session Manager.exe	33
PID 540 wrote to memory of 1772	540	Windows Session Manager.exe	33
PID 540 wrote to memory of 1772	540	Windows Session Manager.exe	33
PID 540 wrote to memory of 1772	540	Windows Session Manager.exe	33
PID 540 wrote to memory of 1728	540	Windows Session Manager.exe	35
PID 540 wrote to memory of 1728	540	Windows Session Manager.exe	35
PID 540 wrote to memory of 1728	540	Windows Session Manager.exe	35
PID 540 wrote to memory of 1728	540	Windows Session Manager.exe	35
PID 540 wrote to memory of 316	540	Windows Session Manager.exe	37
PID 540 wrote to memory of 316	540	Windows Session Manager.exe	37
PID 540 wrote to memory of 316	540	Windows Session Manager.exe	37
PID 540 wrote to memory of 316	540	Windows Session Manager.exe	37
PID 316 wrote to memory of 824	316	cmd.exe	39
PID 316 wrote to memory of 824	316	cmd.exe	39
PID 316 wrote to memory of 824	316	cmd.exe	39
PID 316 wrote to memory of 824	316	cmd.exe	39
PID 824 wrote to memory of 1332	824	net.exe	40
PID 824 wrote to memory of 1332	824	net.exe	40
PID 824 wrote to memory of 1332	824	net.exe	40
PID 824 wrote to memory of 1332	824	net.exe	40
PID 540 wrote to memory of 1472	540	Windows Session Manager.exe	41
PID 540 wrote to memory of 1472	540	Windows Session Manager.exe	41
PID 540 wrote to memory of 1472	540	Windows Session Manager.exe	41
PID 540 wrote to memory of 1472	540	Windows Session Manager.exe	41
PID 1472 wrote to memory of 1296	1472	cmd.exe	43
PID 1472 wrote to memory of 1296	1472	cmd.exe	43
PID 1472 wrote to memory of 1296	1472	cmd.exe	43
PID 1472 wrote to memory of 1296	1472	cmd.exe	43
PID 1296 wrote to memory of 1532	1296	net.exe	44
PID 1296 wrote to memory of 1532	1296	net.exe	44
PID 1296 wrote to memory of 1532	1296	net.exe	44
PID 1296 wrote to memory of 1532	1296	net.exe	44
PID 540 wrote to memory of 1692	540	Windows Session Manager.exe	45
PID 540 wrote to memory of 1692	540	Windows Session Manager.exe	45
PID 540 wrote to memory of 1692	540	Windows Session Manager.exe	45
PID 540 wrote to memory of 1692	540	Windows Session Manager.exe	45
PID 1692 wrote to memory of 1004	1692	cmd.exe	47
PID 1692 wrote to memory of 1004	1692	cmd.exe	47
PID 1692 wrote to memory of 1004	1692	cmd.exe	47
PID 1692 wrote to memory of 1004	1692	cmd.exe	47
PID 1004 wrote to memory of 544	1004	net.exe	48
PID 1004 wrote to memory of 544	1004	net.exe	48
PID 1004 wrote to memory of 544	1004	net.exe	48
PID 1004 wrote to memory of 544	1004	net.exe	48
PID 540 wrote to memory of 564	540	Windows Session Manager.exe	49
PID 540 wrote to memory of 564	540	Windows Session Manager.exe	49
PID 540 wrote to memory of 564	540	Windows Session Manager.exe	49
PID 540 wrote to memory of 564	540	Windows Session Manager.exe	49

C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:564
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:436
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:1384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UndoDismount.hta"
1⤵
- Modifies Internet Explorer settings
PID:1488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1332

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-77-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1396-94-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download